IPO Cybersecurity Checklist: What Do Companies Need to Know?
By Isaac Madan, CEO & Co-founder, Nightfall
IPOs seem to be rapidly accelerating, with the number of IPOs up almost 200% from last year. This can be attributed to a variety of factors, including the maturity of SPACs, which saw rapid growth in the first quarter of 2021, and venture and private equity investors, who are also currently well situated to capitalize on the availability of strong companies (especially in tech) that are ready to go public.
While there are many resources available for startups preparing for an IPO, one area of the process that can be difficult to navigate is how to properly implement cybersecurity. This is in part because addressing cybersecurity concerns requires anticipating both known and unknown risks. Nevertheless, putting in the work of building your cyber infrastructure before going public is critical given the costs of compliance failures as well as reputational and monetary harm.
Much of this work begins with a cybersecurity checklist. The core purpose of the checklist is twofold. The checklist is first and foremost meant to guide your organization through the due diligence process, which requires companies to have a solid understanding of organizational risks, including cyber risk. Second, the checklist is to help establish the infrastructure necessary to manage and report on cybersecurity incidents when the company is public. Developing this capability has become increasingly important, as the SEC has thoroughly articulated expectations around cybersecurity disclosures in recent years and has started taking action against firms failing to meet them.
Assembling your checklist
Very broadly, any pre-IPO cybersecurity checklist should help you accomplish the following:
- Determine data compliance obligations and risks specific to your organization
- Build an inventory of assets, software, and data that can lead to cybersecurity vulnerabilities or compliance violations if abused or exposed
- Formalize IT security processes for employee conduct and incident response, and ensure that incident reporting structures are in place
If this sounds like a lot, that’s because it is. While there’s no easy way to simplify the work that goes into addressing each of these areas, the remainder of this article will highlight some important considerations required to carry out these tasks.
Part 1: Compliance and cybersecurity risk assessment
One of the first things you must do is determine the cybersecurity and compliance risks impacting your business. As part of your S-1 filing, you’ll need to disclose material risks impacting your company, including cybersecurity risks. This discovery and assessment of risks will likely be part of your due diligence process when working with an underwriter, so it makes sense to carry it out as early as possible. You can begin this process by:
- Reviewing and outlining cybersecurity risks and compliance obligations specific to your industry and assigning responsible parties that will own different parts of your security program, including implementation, evaluation, and enforcement. While the risk profile and compliance landscape for every organization will differ, all businesses will want to pay special attention to SOX and work cross-functionally to implement security controls (SOX 404) and disclosures of changes in financial conditions and operations (SOX 409).
- Deciding upon a security framework, like SOC 2, NIST, ISO, ISO/IEC 27001, etc. to help build your security program and inform proper implementation of security controls.
Part 2: Asset inventory
Creating an inventory of IT and software security assets is another important step to take, as this will give you a sense of not only what programs and hardware your organization is using, but how they’re used and what types of information they hold. As part of this process, it’s important to assess any data or assets that third-party vendors may have access to as well, given that third-party risk can have a substantial impact on your likelihood of a security incident.
Once the asset inventory has been completed and you’ve adopted a security framework, you can then begin mapping specific parts of your infrastructure to the controls appropriate for securing them. For example, you might choose to leverage access controls like single sign-on and cloud data protection for SaaS applications within your tech stack because you’ve determined, based on how your employees use these platforms, that customer data can easily proliferate within these systems.
Part 3: Formalize IT security processes
To ensure your organization’s ability to prevent and respond to future incidents, you’ll need to formalize IT processes to protect the assets you identified when building your IT inventory. Some of these processes include:
- An employee security guidebook and security awareness training
- Business continuity plans
- Incident response plans
- Vulnerability management plans
- Third-party risk assessment plans
In addition to formalizing these processes, you’ll need to build out a reporting structure that will determine how effective your information security program is for properly managing risks and disclosing incidents. Special attention also needs to be given to the role the Board of Directors will play in risk oversight, as Regulation S-K requires companies to disclose the board’s leadership structure and justify the role the board plays within the organization.
Though this list is not exhaustive, this approach should serve you well in thinking through important areas of investigation for assessing your cybersecurity risk. While this is intended as a pre-IPO exercise, many of the practices outlined in this article need to be maintained once a company is public. These should be thought of as recurring exercises that will be critical to reporting on and mitigating cybersecurity risks.
The views and opinions expressed herein are the views and opinions of the author and do not necessarily reflect those of Nasdaq, Inc.